authorGravatar MarkKoz <[email protected]>2019-12-28 15:17:34 -0800
committerGravatar MarkKoz <[email protected]>2019-12-28 20:53:29 -0800
commitb2fb654371a07a77ba4a39f11395836c6b593527 (patch)
tree7b1c9deded3c936a0a4201bdfe6c2849b2482ed2 /scripts
parentDisable shared memory in Docker container (diff)
Mount only what's needed in the chroot jail
devfs and sysfs were problematic since they were being mounted as tmpfs, which is r/w. For example, the Python process could write to cgroups. Now, only what is needed to run Python gets mounted. This boils down to the venv itself and some shared libraries Python needs. * Use a config file for NsJail instead of command-line options * Map 65534 (nobody) user & group inside the user namespace to 65534 outside the namespace rather than mapping to current uid/gid (which was 0 AKA root)
Diffstat (limited to 'scripts')
-rw-r--r--scripts/.profile18
1 files changed, 1 insertions, 17 deletions
diff --git a/scripts/.profile b/scripts/.profile
index daaf1dd..47ee141 100644
--- a/scripts/.profile
+++ b/scripts/.profile
@@ -15,23 +15,7 @@ nsjpy() {
echo "${MEM_MAX}" > /sys/fs/cgroup/memory/NSJAIL/memory.memsw.limit_in_bytes
nsjail \
- -Mo \
- --rlimit_as 700 \
- --chroot / \
- -E LANG=en_US.UTF-8 \
- -E OMP_NUM_THREADS=1 \
- -E OPENBLAS_NUM_THREADS=1 \
- -E MKL_NUM_THREADS=1 \
- -E VECLIB_MAXIMUM_THREADS=1 \
- -E NUMEXPR_NUM_THREADS=1 \
- -R/usr -R/lib -R/lib64 \
- --user 65534 \
- --group 65534 \
- --time_limit 2 \
- --disable_proc \
- --iface_no_lo \
- --cgroup_pids_max=1 \
- --cgroup_mem_max="${MEM_MAX}" \
+ --config "${NSJAIL_CFG:-/snekbox/snekbox.cfg}" \
$nsj_args -- \
/snekbox/.venv/bin/python3 -Iq -c "$@"
}
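Review bot: With `--cgroup_mem_max` dropped from the command line, the only memory limit this function still applies itself is the raw write to `memory.memsw.limit_in_bytes` two lines above the `nsjail` call, and that value only constrains the jail if the NsJail config places the process in that same cgroup and sets a matching `cgroup_mem_max` — otherwise `MEM_MAX` and the jail's real limit can silently diverge. Consider passing `--cgroup_mem_max "${MEM_MAX}"` alongside `--config "${NSJAIL_CFG:-/snekbox/snekbox.cfg}"` so the shell-side cgroup write and the jail limit stay tied to one variable (NsJail command-line flags are documented as overriding config values, but confirm for the version in use), or at least add a comment above the call: `# Sandbox policy (rlimit_as, time_limit, user/group 65534, cgroup_*, disable_proc, env) now comes from the NsJail config; keep MEM_MAX in step with its cgroup_mem_max.` Since `NSJAIL_CFG` now selects the entire sandbox policy, the same comment should state that it must only be settable from the container's own environment. `nsjpy()` opens before this hunk.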